C# WCF SOAP 签名 Sha256“密钥集不存在”

时间:2014-12-16 12:14:21

标签: c# wcf soap sign

我要调用一个需要 WSS 的 Web 服务。TimeStamp 和 Body 块应该用数字签名(Digital Signature)签名(我使用 USB 令牌)。

我使用AsymmetricSecurityBindingElement来完成这项工作。

如果使用默认的 DefaultAlgorithmSuite,签名请求消息可以正常运行。但是,当 CustomDefaultAlgorithmSuite 类中的 DefaultAsymmetricSignatureAlgorithm 改为 RsaSha256Signature 时,它会抛出

  

" CryptographicException:keyset不存在" (在行:durum response = proxy.getBatchStatus(" 1");

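// Locate the client signing certificate in the current user's personal ("MY") store.
// Matching is done on the subject's SERIALNUMBER attribute; as in the original loop,
// the last match that has not yet expired wins (NotBefore is not checked).
X509Certificate2 certificate = null;

X509Store store = new X509Store("MY", StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
try
{
    foreach (X509Certificate2 cert in store.Certificates)
    {
        if (cert.Subject.Contains("SERIALNUMBER=26635982214") && cert.NotAfter > DateTime.Today)
        {
            certificate = cert;
        }
    }
}
finally
{
    // Release the store handle; the X509Certificate2 objects stay usable after Close().
    store.Close();
}

// Fail early with a clear message instead of letting WCF fail later with a less
// specific error when ClientCredentials.ClientCertificate.Certificate is null.
if (certificate == null)
{
    throw new InvalidOperationException(
        "No unexpired certificate with SERIALNUMBER=26635982214 was found in the CurrentUser/MY store.");
}

// Signing needs the private key. For a USB token / smart card the key lives in the
// token's CSP; HasPrivateKey only tells us a key is associated, not that every
// algorithm (e.g. RSA-SHA256) can be performed with it.
if (!certificate.HasPrivateKey)
{
    throw new InvalidOperationException(
        "The selected certificate has no associated private key and cannot sign messages.");
}

// Mutual-certificate (asymmetric) message security: the client signs with its own
// certificate; the service certificate is configured on the proxy further down.
CustomBinding binding = new CustomBinding();
AsymmetricSecurityBindingElement securityElement = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(
    MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

// The version passed to the factory above is replaced here; only the WS-Security 1.1 /
// WS-Trust 1.3 version is what the binding finally uses.
securityElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
securityElement.IncludeTimestamp = true;
// Both flags relax security: unsigned/unencrypted responses are accepted and the
// binding may be used over a non-HTTPS transport. Keep them only if the service
// genuinely requires them.
securityElement.EnableUnsecuredResponse = true;
securityElement.AllowInsecureTransport = true;
securityElement.SetKeyDerivation(false);
securityElement.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
// NOTE(review): the stack trace shows X509AsymmetricSecurityKey.GetSignatureFormatter
// constructing a new RSACryptoServiceProvider when this RSA-SHA256 suite is in use, and
// "Keyset does not exist" is raised there. That points at the token's private key not
// being reachable through the provider WCF re-creates for SHA-256 — confirm against the
// token's CSP documentation before changing the suite.
securityElement.DefaultAlgorithmSuite = new CustomDefaultAlgorithmSuite();
securityElement.SecurityHeaderLayout = System.ServiceModel.Channels.SecurityHeaderLayout.Strict;
securityElement.RequireSignatureConfirmation = false;

// The original passed IssuerSerial to the constructor and then overwrote it with
// RawDataKeyIdentifier; the three-argument constructor sets the same final state
// (reference style, inclusion mode, no derived keys) in one place.
X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters(
    X509KeyIdentifierClauseType.RawDataKeyIdentifier,
    SecurityTokenInclusionMode.AlwaysToRecipient,
    false);
securityElement.InitiatorTokenParameters = x509ProtectionParameters;

// Channel stack, bottom-most last: message security -> SOAP 1.2 text encoding -> HTTPS.
binding.Elements.Add(securityElement);
binding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8));
binding.Elements.Add(new HttpsTransportBindingElement());

// A typed null is needed to pick the params AddressHeader[] overload unambiguously.
AddressHeader[] addressHeaders = null;
EndpointAddress endpoint = new EndpointAddress(
    new Uri("https://uygtest.edefter.gov.tr/edefter/services/EDefterWSPort"),
    EndpointIdentity.CreateDnsIdentity("*.edefter.gov.tr"),
    addressHeaders);

EDefterWSClient proxy = new gibService.EDefterWSClient(binding, endpoint);
proxy.ClientCredentials.ClientCertificate.Certificate = certificate;

// The service certificate is read from a file next to the executable and pinned as
// DefaultCertificate. CertificateValidationMode.None switches off chain/revocation
// checking for that certificate, so a tampered .crt file would be accepted silently;
// consider ChainTrust (or PeerTrust with the file in the TrustedPeople store) if the
// service certificate chains to a trusted root.
string serverCertFilePath = Path.Combine(Application.StartupPath, "edefter.gov.tr.crt");
if (!File.Exists(serverCertFilePath))
{
    throw new FileNotFoundException("Service certificate file not found.", serverCertFilePath);
}
proxy.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(serverCertFilePath);
proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;

// This is the call at which the signature is computed and the CryptographicException surfaces.
durum response = proxy.getBatchStatus("1");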

  

堆栈跟踪:
konum: System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
konum: System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
konum: System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
konum: System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
konum: System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
konum: System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
konum: System.ServiceModel.Security.WSSecurityOneDotZeroSendSecurityHeader.CompletePrimarySignatureCore(SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens, Boolean isPrimarySignature)
konum: System.ServiceModel.Security.SendSecurityHeader.CompleteSignature()
konum: System.ServiceModel.Security.SendSecurityHeader.CompleteSecurityApplication()
konum: System.ServiceModel.Security.SecurityAppliedMessage.OnWriteMessage(XmlDictionaryWriter writer)
konum: System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
konum: System.ServiceModel.Channels.TextMessageEncoderFactory.TextMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
konum: System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message, Boolean shouldRecycleBuffer)
konum: System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
konum: System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
konum: System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
konum: System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
konum: System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
konum: System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
konum: System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

     

konum:System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

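/// <summary>
/// Algorithm suite used for WS-Security message protection: RSA-SHA256 for the
/// asymmetric (certificate) signature, otherwise the same choices as the default
/// Basic128 suite (SHA-1 digest, HMAC-SHA1, AES-128, 128-bit derived keys).
/// </summary>
/// <remarks>
/// NOTE(review): this suite mixes an RSA-SHA256 signature with a SHA-1 digest and
/// HMAC-SHA1. The built-in SHA-256 suites (e.g. <c>SecurityAlgorithmSuite.Basic128Sha256</c>)
/// pair RsaSha256Signature with Sha256Digest and HmacSha256Signature; confirm which
/// combination the service's security policy actually requires before changing it.
/// </remarks>
public class CustomDefaultAlgorithmSuite : SecurityAlgorithmSuite
{
    /// <summary>Key-wrap algorithm for asymmetric (certificate) keys: RSA-OAEP.</summary>
    public override string DefaultAsymmetricKeyWrapAlgorithm
    {
        get { return SecurityAlgorithms.RsaOaepKeyWrap; }
    }

    /// <summary>Signature algorithm for the certificate-based primary signature: RSA-SHA256.</summary>
    public override string DefaultAsymmetricSignatureAlgorithm
    {
        get { return SecurityAlgorithms.RsaSha256Signature; }
    }

    /// <summary>XML canonicalization used before signing: Exclusive C14N.</summary>
    public override string DefaultCanonicalizationAlgorithm
    {
        // The original had a stray empty statement (";;") after the return.
        get { return SecurityAlgorithms.ExclusiveC14n; }
    }

    /// <summary>Digest algorithm applied to each signed reference: SHA-1.</summary>
    public override string DefaultDigestAlgorithm
    {
        get { return SecurityAlgorithms.Sha1Digest; }
    }

    /// <summary>Symmetric encryption algorithm: AES-128.</summary>
    public override string DefaultEncryptionAlgorithm
    {
        get { return SecurityAlgorithms.Aes128Encryption; }
    }

    /// <summary>Length in bits of derived encryption keys.</summary>
    public override int DefaultEncryptionKeyDerivationLength
    {
        get { return 128; }
    }

    /// <summary>Length in bits of derived signature keys.</summary>
    public override int DefaultSignatureKeyDerivationLength
    {
        get { return 128; }
    }

    /// <summary>Length in bits of symmetric keys.</summary>
    public override int DefaultSymmetricKeyLength
    {
        get { return 128; }
    }

    /// <summary>Key-wrap algorithm for symmetric keys: AES-128.</summary>
    public override string DefaultSymmetricKeyWrapAlgorithm
    {
        get { return SecurityAlgorithms.Aes128Encryption; }
    }

    /// <summary>Symmetric signature algorithm: HMAC-SHA1.</summary>
    public override string DefaultSymmetricSignatureAlgorithm
    {
        get { return SecurityAlgorithms.HmacSha1Signature; }
    }

    /// <summary>Accepts RSA key lengths from 1024 to 4096 bits inclusive.</summary>
    /// <param name="length">Key length in bits.</param>
    /// <returns><c>true</c> if the length is within the supported range.</returns>
    public override bool IsAsymmetricKeyLengthSupported(int length)
    {
        return length >= 1024 && length <= 4096;
    }

    /// <summary>Accepts symmetric key lengths from 128 to 256 bits inclusive.</summary>
    /// <param name="length">Key length in bits.</param>
    /// <returns><c>true</c> if the length is within the supported range.</returns>
    public override bool IsSymmetricKeyLengthSupported(int length)
    {
        return length >= 128 && length <= 256;
    }
}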

2 个答案:

答案 0 :(得分:0)

您确定在当前用户的证书存储区中找到了带有 SERIALNUMBER=26635982214 的证书吗?您没有做任何检查。

此外,WCF 客户端是以哪个用户身份运行的?请检查您要查找的证书是否在正确的证书存储区中。

答案 1 :(得分:0)

我认为您的问题是您的私钥存储在 USB 令牌/智能卡上,并且此私钥不可导出/不可提取,或者受 PIN 保护。因此,WCF 客户端无法使用此私钥来签署 SOAP 消息。

如果您的证书和私钥存储在pfx上,那么您可以像上面提到的那样调用此WS,但在您的情况下,我认为不可能使用wcf客户端来签署soap消息。